Digital Transformation is Driving IT Transformation for Organizations
Public Clouds
Private Clouds

... But creates new Challenges for Security

- Don't know how many assets you have
- Don't know when those assets are running
- Credential issues / Authentication failures
- Monthly / weekly scanning too slow [WannaCry]
- Can't scan remote users
Qualys Sensors
Scalable, self-updating & centrally managed

Physical
- Legacy data centers
- Corporate infrastructure
- Continuous security and compliance scanning

Virtual
- Private cloud infrastructure
- Virtualized infrastructure
- Continuous security and compliance scanning

Cloud/Container
- Commercial IaaS & PaaS clouds
- Pre-certified in marketplace
- Fully automated with API orchestration
- Continuous security and compliance scanning

Cloud Agents
- Lightweight, multi-platform
- On premise, elastic cloud & endpoints
- Real-time data collection
- Continuous evaluation on platform for security and compliance

Passive
- Passively sniff on network
- Real-time device discovery & identification
- Network traffic analysis
- Identification of APT
- Extract malware files from network for

API
- Integration with Threat Intel feeds
- CMDB Integration
- Log connectors
Qualys Cloud Agent Platform

Lightweight Software Agent (collects metadata only)
Deployed on: On-Premise, Public Cloud, User Endpoints
Platforms: Windows, Linux, Mac, AIX
Cloud Native
Delivers Multiple Built-in Security Functions in one Agent
Qualys Cloud Agent
IT, Security, and Compliance Apps Delivered by a single agent

- Asset Inventory
- Vulnerability Management
- Policy Compliance
- Indication of Compromise Detection
- File Integrity Monitoring
- Patch Management
Agent Modules

Platform
- Cloud Agent
- Central Management / API
- Qualys Suite of Applications

Efficient Network Usage (Delta Processing average): 6 - 50 KB / day
Lightweight Metadata Collection (tunable): 1-2% CPU
Windows, Linux, Mac, AIX: 3 MB application
Deploy and Manage Apps on Cloud Agent

End the fight with IT to deploy security agents!
Enabling an application does not require redeployment or reboot of the system
Self-updating, version control, elastic lifecycle management

Screenshot: New Activation Key
An activation key is used to install agents. This provides a way to group agents and better manage your account. By default this key is unlimited - it allows you to add any number of agents at any time.
Title: Global User Endpoints
Provision Key for these applications:
- VM Vulnerability Management: 98218 Licenses Remaining
- PC Policy Compliance: 98225 Licenses Remaining
- FIM File Integrity Monitoring: 995 Licenses Remaining
- IOC Indication of Compromise: 98804 Licenses Remaining
- 9881 Licenses Remaining (application name not captured)
Set limits | Unlimited key | Generate
Cloud Agent Extends Network Scanning

- No scan windows needed - always collecting
- Find vulnerabilities faster
- Detect a fixed vulnerability faster
- Many new Apps only available on Agent

Best for assets that can't be scanned
- Unable to get credentials / authentication failures
- Remote systems in branch offices / NAT
- Roaming user endpoints
- Cloud / Elastic deployments
Cloud Agent CPU Tuning - Linux

VM: < 1.2% CPU peak usage for less than 15 mins

Screenshot: AWS EC2 CPU Utilization (Percent) graph; Statistic: Average; Time Range: Last 12 Hours; Period: 15 Minutes. AWS t2.micro instance running Cloud Agent.
Note: not allowed to scan nano, micro, or small instances using network scanning
Cloud Agent CPU Tuning - Windows

Tunable CPU Limit
Example: 8% configured max on 1-core (Effective: < 2% on 4-core)

Screenshot: Windows Performance Monitor, counter % User Time (Process object), Mon 3/20/17 to Tue 3/21/17; Last 0.060, Average 1.327, Minimum 0.000, Maximum 99.890, Duration 17:17:03.
Cloud Native - Collect Provider Metadata
Agent collects metadata locally without Connector

AWS EC2: accountId, amiId, availabilityZone, hostname, hostnamePublic, instanceId, instanceType, kernelId, macAddress, privateIpAddress, publicIpAddress, region, reservationId, securityGroupIds, securityGroups, subnetId, VPCId

Microsoft Azure: dnsservers, ipv6, location, macAddress, name, offer, osType, privateIpAddress, publicIpAddress, publisher, resourceGroupName, tags, subnet, subscriptionId, version, vmid, vmSize

Google Compute Platform: hostname, instanceId, macAddress, machineType, network, privateIpAddress, projectId, projectIdNo, publicIpAddress, zone

IBM Cloud (Coming June 2019): datacenterId, deviceName, publicIp, privateIp, id, publicVlan, domain, privateVlan
2019 Cloud Agent Application Roadmap

Cloud Apps (rows): Patch Management, Vulnerability Management, Policy Compliance, Indication of Compromise, Asset Inventory
Quarters (columns): Q1 (Released), Q2, Q3, Q4

Roadmap items shown (cell placement not recoverable from the extracted slide): General Availability; User Defined Controls; Linux; Mac; Middleware Auto-Discovery (listed under two apps); Scan by Policy; Remediation; Threat Feed; Mac; Alerts/Actions; Network IOCs; Detect Unmanaged Assets on the Network

Roadmap schedule subject to change
Announcing Cloud Agent Gateway
Available Now on Shared Platforms

Cloud Agent Deployment Questions
- I am not able to run Cloud Agent on assets that do not have direct access to the Internet due to security policies
- I am (A) not able to use existing proxies deployed by IT or (B) not able to buy/manage an open-source or full-fledged commercial proxy
- I wish to optimize the bandwidth utilized by large Cloud Agent deployments and Patch Management
Qualys Cloud Agent Gateway (CAG)

- A Qualys-developed HTTP proxy/cache running on a new virtual appliance platform
- Separate appliance from the Virtual Scanner
- CAG appliances are downloaded and managed from the Qualys Platform UI
- Cloud Agents use existing agent proxy capabilities to connect through CAG to the Qualys platform
How it works

Qualys Platform: CAG virtual appliance is downloaded from UI by customer, run locally, and registers appliance. Platform-side functions: Download, Management, Logging.

Cloud Agent Gateway (CAG): Virtual appliance with Docker containers providing HTTPS Proxying, Caching, Load Balancing, High-Availability, and Logging.

Cloud Agent: Agents use existing HTTPS Proxy features to connect to CAG (if no proxy, fail over to direct connection). Agent communication (diagram arrow between Cloud Agent and CAG).
CAG Deployment
Diagram regions: Internet; Customer Remote Network; Direct Connection Network; Restricted Access Network

Expanded CAG Use Cases
- Proxy/caching for Patch Management patch downloads
- Recommended/Required for on-premises agents
Qualys Indication of Compromise
Bringing IOC to the Next Level

Chris Carlson
VP, Product Management, Qualys, Inc.

Adversary TTPs are Changing

Early 2010s: Zero-day Vulnerabilities (Nation State, Industrial Espionage, Black Market)
Today: Rapidly weaponizing newly-disclosed vulnerabilities (Lesser Nation State, Industrial, Organized Crime)
Good, Fast, Cheap - Pick all 3
Known Critical Vulnerabilities are Increasing

- 6-7K vulnerabilities are disclosed each year*
- 30-40% are ranked as "High" or "Critical" severity
- "Mean Time to Weaponize" (MTTW) is rapidly decreasing y/y

[Chart: vulnerabilities disclosed per year, x-axis years from 2002 onward; only the axis labels survived extraction]
Adversaries are Evading Anti-Virus Detection

Multiple Symantec Products CVE-2018-12238 Local Security Bypass Vulnerability
Bugtraq ID: 105917
CVE: CVE-2018-12238
Remote: No  Local: Yes
Published: Nov 28 2018 12:00AM
Credit: Qualys Malware Research Lab
Qualys QID 371337, QID 371338

Vulnerable:
Symantec Norton AntiVirus 22.7
Symantec Norton AntiVirus 21.0
Symantec Norton AntiVirus 17.6.0.32
Symantec Endpoint Protection Cloud 12.1.6
Symantec Endpoint Protection Cloud 14
Symantec Endpoint Protection 12.1.6 MP4
Symantec Endpoint Protection 12.1.6
+ 95 other products
Vulnerability Management Lifecycle

Cycle (diagram): Asset Inventory -> Vulnerability Management -> Threat Risk and Prioritization -> Patch Management -> back to Asset Inventory
Get Proactive - Reduce the Attack Surface

- Immediately Identify Vulnerabilities in Production
- Notify IT Asset Owner to Patch/Stop the Instance
- Change Configuration to Limit Access (Policy Compliance)
- Control Network Access / Cloud Security Groups
- Add Detection and Response: Endpoint & Network
Proactively Hunt, Detect, and Respond

Indication of Compromise: Detect IOCs, IOAs, and verify Threat Intel
Passive Network Sensor: What new devices are on the network? Are there new/different traffic patterns?
Organizations Struggle to Answer Basic Threat Questions

- Are these hashes on/running in my network? Or these mutexes / processes / registry keys?
- Did any endpoints connect to these IPs / Domains? Are there any connections to TOR exit nodes?
- What system is the first impacted? "Patient Zero"
- Did this spread to other systems? When?
Qualys IOC - Visibility Beyond Anti-Virus

Threat Intel Verification
- Threat Intel Feeds / Mandated to Verify
- "Is this hash, registry, process, mutex on my network?"

Detect Malware missed by Anti-Virus
- Using Qualys Malware Labs behavior models and leading commercial Threat Feed

API & Alerting

Hunting / "Look Back" Investigation
- Find Suspicious Activity after a known breach
- Indicator of Activity hunting with pre-built and user-defined queries
- Go back over months of stored endpoint events and find the first occurrence of a breach
Threat Intel Verification

Annotations: Threat Intelligence lists attack information ... Search for the file hash here ... Find the object there.

Quoted NCCIC alert:
NotPetya Ransomware spreading using ETERNALBLUE Vulnerability and Credential Stealing
October 6, 2017

On June 27, 2017, NCCIC [13] was notified of Petya malware events occurring in multiple countries and affecting multiple sectors. This variant of the Petya malware—referred to as NotPetya—encrypts files with extensions from a hard-coded list. Additionally, if the malware gains administrator rights, it encrypts the master boot record (MBR), making the infected Windows computers unusable. NotPetya differs from previous Petya malware primarily in its propagation methods using the ETERNALBLUE vulnerability and credential stealing via a modified version of Mimikatz.

Technical Details
Anti-Virus Coverage
VirusTotal reports 0/66 anti-virus vendors have signatures for the credential stealer as of the date of this report
Delivery — MD5: 71b6a493388e7d0b40c83ce903bc6b04
Installation — MD5: 7e37ab34ecdcc3e77e24522ddfd4852d
Credential Stealer (new) — MD5: d926e76030f19f1f7ef0b3cd1a4e80f9
Secondary Actions
NotPetya leverages multiple propagation methods to spread within an infected network. According to malware analysis, NotPetya attempts the lateral movement techniques below:

Screenshot: Qualys Enterprise > Indication of Compromise > Hunting; searching for the credential-stealer MD5 over Last 7 Days returns 2 Total Events, no remaining filters; columns TIME, OBJECT, ASSET; asset WIN7-320860-T44.
Detect Malware Missed by Anti-Virus

UK Government Contractor:
- "Big 4" Anti-virus installed
- Qualys Agent for Vulnerability Mgmt
- Added Qualys IOC on existing agents

Qualys IOC discovered...
- Dridex Banking Trojan (51)
- 4 Domain Controllers infected
- Backdoors (7) installed due to phishing campaigns
- Netcat (8) root kits installed
- 46 PUAs installed

Screenshot widgets: ELDORADO BACKDOOR - PHISHING CAMPAIGN; NETCAT - ROOTKIT/HACKER TOOL; count 46
Malware Detection & Scoring - Actionable Responses

Event Telemetry: file, process, mutex, network, registry
-> Qualys IOC Detection and Scoring Engines (Commercial Threat Feed; Qualys Malware Labs)
-> Verdicts:
- Confirmed — Malicious Process w/ Network Connection
- Confirmed — Malicious Process
- Confirmed — Malicious File
- Medium Confidence Suspicious — Process w/ Network Connection
- Medium Confidence Suspicious — Process
- Medium Confidence Suspicious — File
- Low Confidence Suspicious — Process w/ Network Connection
- Low Confidence Suspicious — Process
- Low Confidence Suspicious — File
- Remediated - Indicator no longer present
- Known Good
Pre-Defined & Ad Hoc Threat Hunting

Screenshot: Qualys Enterprise > Indication of Compromise > Dashboard, "Qualys: Suspicious Process Usage", Last 30 Days, widgets:
- PROCESS SHOULD NOT RUN FROM RECYCLE BIN
- JAVA SHOULD NOT HAVE NETWORK CONNECTIONS
- POWERSHELL OBFUSCATION ENCODED COMMAND
- SVCHOST PROCESS NOT RUNNING FROM WINDOWS DIRECTORY
- VERCLSID.EXE SHOULD NOT HAVE NETWORK CONNECTIONS

Suspicious process analysis to detect:
- "Fileless" malware attacks
- Non-malware attacks
- Malware evasion techniques
- Compromised processes
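The hunting questions from "Organizations Struggle to Answer Basic Threat Questions", the confidence tiers of the scoring slide and the pre-defined suspicious-process rules listed here can be exercised end to end with the following added example. It is not Qualys code and does not use the Qualys API: the event schema, the rule logic, the mapping of intel matches and rule hits onto the slide's confidence tiers, and the sample telemetry are all assumptions. The MD5 values are the NotPetya hashes from the NCCIC alert quoted earlier; the IP addresses are constructed placeholders from documentation ranges; WIN7-320860-T44 is the asset name visible in the hunting screenshot.

```python
# Added example, not Qualys code: a small endpoint-telemetry hunting and scoring engine.
# Event schema, rule logic, confidence thresholds and sample events are assumptions.
from dataclasses import dataclass
from datetime import datetime
import ntpath

@dataclass(frozen=True)
class Event:
    time: datetime
    host: str
    kind: str          # "process" (start), "file" (write) or "network" (outbound connection)
    image: str = ""    # full path of the process image or written file
    md5: str = ""
    cmdline: str = ""
    remote: str = ""   # remote IP or domain, network events only

# Threat intel to verify. Hashes are the NotPetya MD5s from the NCCIC alert quoted on the slide;
# the addresses are constructed placeholders from RFC 5737 documentation ranges, not real indicators.
INTEL_HASHES = {"71b6a493388e7d0b40c83ce903bc6b04": "NotPetya delivery",
                "7e37ab34ecdcc3e77e24522ddfd4852d": "NotPetya installation",
                "d926e76030f19f1f7ef0b3cd1a4e80f9": "NotPetya credential stealer"}
INTEL_NETWORK = {"198.51.100.23": "constructed C2 placeholder",
                 "203.0.113.9": "constructed TOR exit node placeholder"}
ENCODED_FLAGS = {"-e", "-ec", "-enc", "-encodedcommand"}   # PowerShell encoded-command switches

def behaviour_rules(ev):
    """Pre-defined suspicious-process rules named on the slide; returns the rule names ev triggers."""
    exe, low, hits = ntpath.basename(ev.image).lower(), ev.image.lower(), []
    if ev.kind == "process":
        if "$recycle.bin" in low:
            hits.append("PROCESS SHOULD NOT RUN FROM RECYCLE BIN")
        if exe == "svchost.exe" and not low.startswith("c:\\windows\\"):
            hits.append("SVCHOST PROCESS NOT RUNNING FROM WINDOWS DIRECTORY")
        if exe == "powershell.exe" and ENCODED_FLAGS & {t.lower() for t in ev.cmdline.split()}:
            hits.append("POWERSHELL OBFUSCATION ENCODED COMMAND")
    elif ev.kind == "network":
        if exe in ("java.exe", "javaw.exe"):
            hits.append("JAVA SHOULD NOT HAVE NETWORK CONNECTIONS")
        if exe == "verclsid.exe":
            hits.append("VERCLSID.EXE SHOULD NOT HAVE NETWORK CONNECTIONS")
    return hits

def score(ev, has_network):
    """Tier assignment (assumed): intel match -> Confirmed, rule hit only -> Medium Confidence, else Known Good."""
    intel = INTEL_HASHES.get(ev.md5) or INTEL_NETWORK.get(ev.remote)
    rules = behaviour_rules(ev)
    if intel:
        tier, reason = "Confirmed", intel
    elif rules:
        tier, reason = "Medium Confidence Suspicious", "; ".join(rules)
    else:
        return None                        # Known Good: nothing to report
    obj = "File" if ev.kind == "file" else "Process"
    if obj == "Process" and has_network:   # same image on that host also made a connection
        obj += " w/ Network Connection"
    return f"{tier} - {obj}", reason

def hunt(events):
    """Evaluate every event; returns time-sorted detections."""
    net_images = {(e.host, e.image.lower()) for e in events if e.kind == "network"}
    found = []
    for e in sorted(events, key=lambda x: x.time):
        verdict = score(e, (e.host, e.image.lower()) in net_images)
        if verdict:
            found.append({"time": e.time, "host": e.host, "verdict": verdict[0], "reason": verdict[1]})
    return found

def verify_intel(events):
    """'Are these hashes on my network? Did any endpoint connect to these IPs?' -> {indicator: hosts}."""
    seen = {}
    for e in events:
        for key, table in ((e.md5, INTEL_HASHES), (e.remote, INTEL_NETWORK)):
            if key in table:
                seen.setdefault(key, set()).add(e.host)
    return seen

def patient_zero(detections):
    """'Look back' over stored detections: first impacted host, then when each further host was hit."""
    first = {}
    for d in detections:                   # hunt() output is already time-sorted
        first.setdefault(d["host"], d["time"])
    order = sorted(first.items(), key=lambda kv: kv[1])
    return (order[0][0] if order else None), order

# Constructed sample telemetry; WIN7-320860-T44 is the asset name visible in the slide's screenshot.
T = datetime.fromisoformat
DROPPER = "C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe"
SAMPLE_EVENTS = [
    Event(T("2019-04-22T17:58:10"), "WIN7-320860-T44", "process", DROPPER, md5="71b6a493388e7d0b40c83ce903bc6b04"),
    Event(T("2019-04-22T17:58:11"), "WIN7-320860-T44", "file", "C:\\Windows\\perfc.dat", md5="d926e76030f19f1f7ef0b3cd1a4e80f9"),
    Event(T("2019-04-22T17:58:12"), "WIN7-320860-T44", "network", DROPPER, remote="198.51.100.23"),
    Event(T("2019-04-22T18:03:40"), "DC01", "process", "C:\\$Recycle.Bin\\S-1-5-21-1\\svchost.exe", md5="0" * 32),
    Event(T("2019-04-22T18:05:02"), "HR-LAPTOP-07", "process", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          cmdline="powershell.exe -nop -w hidden -enc SQBFAFgA"),
    Event(T("2019-04-22T18:05:30"), "HR-LAPTOP-07", "network", "C:\\Program Files\\Java\\jre8\\bin\\java.exe", remote="203.0.113.9"),
    Event(T("2019-04-22T18:10:00"), "FILESRV", "process", "C:\\Windows\\System32\\svchost.exe", cmdline="svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for d in hunt(SAMPLE_EVENTS):
        print(d["time"], d["host"], d["verdict"], "|", d["reason"])
    print("patient zero:", patient_zero(hunt(SAMPLE_EVENTS))[0], "| intel seen:", verify_intel(SAMPLE_EVENTS))
```

Running the file prints one line per detection, then the first impacted host and the indicators that were actually seen. Intel matches outrank behaviour rules, and a process verdict is upgraded to "w/ Network Connection" only when the same image on the same host produced a network event, which is the distinction the scoring slide draws; the legitimate svchost on FILESRV produces no detection at all.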
Find Malware using Stolen Code-Signing Certificates

July 2018: Certificates stolen from D-Link and others used by cyberespionage group
Certificates stolen from Taiwanese tech-companies misused in Plead malware
D-Link and Changing Information Technologies code-signing certificates stolen and abused by highly skilled cyberespionage group focused on East Asia, particularly Taiwan
https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/

March 2019: Hackers dropped a secret backdoor in Asus' update software
https://techcrunch.com/2019/03/25/asus-update-backdoor/

Screenshot: Windows certificate properties dialog (General / Details / Certification Path), Digital Signature Information; Issued by: DigiCert SHA2 Assured ID Code Signing CA; Valid from 6/20/2018 to 6/22/2021.


Real-Time Responses - Rules, Search, Widgets

Screenshot: Activity / Rule Manager / Actions; 2.48K Total Activities (1-50 of 2484), 22 Apr 2019.
Rule "All malware infections" (condition: RL score > 0), created by Qualys Demo; actions: Post to Slack, Send Email to Security ...; each activity shows status Success, 23 minutes ago.

DEMO
Indication of Compromise
- Threat Intel Verification / Hunting
- Malware Detection
- Alerting
ccarlson@qualys.com